ICO releases statement on regulatory approach during COVID-19
The Information Commissioner’s Office (ICO) has recently published a document setting out its regulatory approach during the COVID-19 public health emergency.
The ICO acknowledged the many challenges faced by organisations amidst the pandemic, such as staff and operating capacity shortages, financial pressures and the need to redeploy resources to meet front-line demands. In light of these obstacles, the ICO committed to being pragmatic and empathetic and to focusing its efforts on the most serious threats to the public. Additionally, the ICO promised to take firm action against those breaching data protection laws to take advantage of the current situation. The ICO concluded by acknowledging that some effects of the crisis will be felt for a significant time after the emergency’s end, and that it may therefore need to maintain this flexibility in certain areas for many months to come. Further details of the points covered by the ICO are set out below:
Compliance - The ICO will continue to recognise rights and protections granted to individuals by the law, but it will be more flexible in its regulatory response during the crisis. For example, organisations should continue to report personal data breaches without undue delay and within 72 hours of becoming aware of them, but the ICO will take into account the possible impacts of the current situation when considering any failure to do so.
Enforcement - The new approach may also mean less use of the ICO’s formal powers requiring organisations to provide evidence. When deciding on whether to take formal action, including imposing fines, the ICO will consider whether the organisation has plans to resolve the issue after the crisis and whether the quantum of fines should be lower. It will also take into account the impact of the pandemic on the organisation’s ability to respond to data subject requests. In addition, the ICO is considering allowing longer periods to rectify breaches predating the pandemic where the crisis has an impact on the organisation’s ability to carry out remedying steps.
Guidance - The ICO provided reassurance that it will consider the economic and resource burden its actions may place on organisations, and it plans to review the impact of new guidance, for example by delaying its publication if it would impose a burden on organisations that could result in diverting staff from frontline duties. In particular, the ICO committed to identifying and fast-tracking advice, guidance and tools that would help businesses to deal with or recover from the crisis.
Innovative use of data - The ICO also briefly mentioned innovative uses of data (e.g. geolocation and geospatial information) which it dealt with separately by publishing a series of questions that organisations should consider when making use of and developing contact tracing and location tracking technologies. This follows the publication of the European Commission’s guidance on apps supporting the fight against the coronavirus pandemic and the EU toolbox on contact tracing apps. The guidance focuses on voluntary apps with functionalities such as symptom checkers, contact tracing and warning, telemedicine and provision of accurate information on the coronavirus pandemic. The European Commission recognised the importance of these technologies in tackling the spread of coronavirus, but stated that the privacy values and requirements should not be compromised.
Next steps - Despite the ICO’s assurances of flexibility, organisations should take a cautious approach and make their best effort to continue to comply with their data protection obligations. Organisations may want to consider whether there are any particular data protection pressure points in the organisation that are affected by the COVID-19 crisis and how these should be addressed. However, the data protection requirements referred to by the ICO will not be automatically disapplied, and the ICO will be considering each organisation’s individual circumstances. Any change in policy will therefore need to be supported by clear reference to genuine and unavoidable hindrance to operations and to attempts to mitigate it in line with the principles of data protection.






